Understanding SNMPv3 and HP Web Jetadmin

Table of contents

Overview
Introduction to SNMPv3
Use HP Web Jetadmin to manage SNMPv3 settings
HP Web Jetadmin and credentials
Discover SNMPv3 devices
SNMPv3 passphrases vs. keys
Notes
Troubleshooting

Overview

SNMPv3 (Simple Network Management Protocol, version 3) is a secure management protocol that is used to encrypt data and require user authentication on devices being managed from within applications like HP Web Jetadmin. HP Web Jetadmin is fully compatible with SNMPv3, but there are some administrative best practices and rules that should be understood and followed. This document relates to HP Web Jetadmin 10.x versions.

HP recommends keeping your HP Web Jetadmin installation at the latest version available at www.hp.com/go/webjetadmin. More information can be found by visiting the HP Web Jetadmin support page.

Best practices: When using HP Web Jetadmin to manage SNMPv3 devices, HP Web Jetadmin should be the only configuration agent used in setting up SNMPv3. Notes later in this document show the complexities that exist when SNMPv3 settings are managed from outside of HP Web Jetadmin.

Introduction to SNMPv3

SNMP is the primary means HP Web Jetadmin uses to communicate with and manage devices. As the administrator manages devices with HP Web Jetadmin features, HP Web Jetadmin communicates with the devices through functions known as Set and Get operations. This description is only a summary; the SNMP protocol itself is defined by a structured and mature set of IETF RFCs (Requests for Comments). Basic SNMP will be called SNMPv1/v2 in this document.

SNMPv3 provides a layer of security for device management communication, including cryptographic authentication and data confidentiality (encryption). SNMPv1/v2 transmits all data on the network, including data that might be sensitive, in plain text. This means that tools such as network sniffers might be used to monitor the SNMPv1/v2 transmissions, such as Get and Set SNMP Community Names. SNMPv3 adds data encryption, which reduces the risk of data being sniffed from the network. Also, with SNMPv3, authentication between the device and HP Web Jetadmin is enforced.

SNMPv1/v2 Get and Set Community Names are passed through the network as clear text characters. In practice, these items have been used as passwords, but actually provide only limited security value. In environments with elevated security risks, SNMPv3 should be given serious consideration over the less secure Get and Set items. SNMPv3 credentials make sniffing data very difficult, which adds security to device management communication.
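The point made above, that SNMPv1/v2 community names travel in clear text while SNMPv3 carries authentication and privacy flags instead, can be checked directly on captured traffic. The following is an added example, not code from the HP document: a minimal BER walker over the SNMP message header that reports, for each UDP/161 payload, whether it is SNMPv1/v2c (community name exposed on the wire) or SNMPv3, and for SNMPv3 whether the msgFlags request authentication and privacy. The sample datagrams, source addresses and the `audit` helper are constructed for this example; the community name itself is never stored or printed, only its presence and length.

```python
"""Classify captured SNMP datagrams by version and credential exposure.

Added example (not from the HP white paper). The BER walker below reads only
the SNMP message header: version INTEGER, then either the v1/v2c community
OCTET STRING or the v3 msgGlobalData SEQUENCE whose msgFlags byte carries the
authFlag (0x01) and privFlag (0x02). All sample packets are constructed by hand.
"""


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length


def classify_snmp(payload: bytes) -> dict:
    """Inspect one SNMP message header. Community names are counted, never decoded."""
    tag, msg, _ = _read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, ver, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("not an SNMP message: version INTEGER missing")
    version = int.from_bytes(ver, "big")     # 0 = v1, 1 = v2c, 3 = v3
    if version in (0, 1):
        tag, community, _ = _read_tlv(msg, pos)
        if tag != 0x04:
            raise ValueError("community OCTET STRING missing")
        return {"version": "v1" if version == 0 else "v2c",
                "cleartext_community": True,
                "community_length": len(community),
                "authenticated": False, "encrypted": False}
    if version == 3:
        tag, gdata, _ = _read_tlv(msg, pos)   # msgGlobalData SEQUENCE
        if tag != 0x30:
            raise ValueError("msgGlobalData SEQUENCE missing")
        _, _, p = _read_tlv(gdata, 0)         # msgID
        _, _, p = _read_tlv(gdata, p)         # msgMaxSize
        tag, flags, _ = _read_tlv(gdata, p)   # msgFlags (one byte)
        if tag != 0x04 or len(flags) != 1:
            raise ValueError("msgFlags OCTET STRING missing")
        return {"version": "v3", "cleartext_community": False,
                "authenticated": bool(flags[0] & 0x01),
                "encrypted": bool(flags[0] & 0x02)}
    raise ValueError(f"unsupported SNMP version field {version}")


def audit(datagrams) -> list:
    """One finding per datagram that exposes a community name or runs SNMPv3 without privacy."""
    findings = []
    for src, payload in datagrams:
        info = classify_snmp(payload)
        if info["cleartext_community"]:
            findings.append(f"{src}: SNMP{info['version']} community name sent in clear text")
        elif not info["encrypted"]:
            findings.append(f"{src}: SNMPv3 without privacy (authenticated={info['authenticated']})")
    return findings


# Constructed samples (not real captures). Source addresses are placeholders.
# SNMPv2c GetRequest for sysDescr.0 with community "public".
V2C_GET = bytes.fromhex(
    "3029" "020101" "04067075626c6963" "a01c" "020400000001"
    "020100" "020100" "300e300c06082b060102010101000500")
# SNMPv3 header with msgFlags 0x07 (auth + priv + reportable) and dummy encrypted msgData.
V3_AUTHPRIV = bytes.fromhex(
    "3020" "020103" "3011" "020400000001" "020300ffe3" "040107" "020103"
    "04023000" "0404deadbeef")
# SNMPv3 header with msgFlags 0x04 (reportable only): noAuthNoPriv.
V3_NOAUTH = bytes.fromhex(
    "301c" "020103" "3011" "020400000001" "020300ffe3" "040104" "020103"
    "04023000" "3000")

SAMPLES = [("10.0.0.5", V2C_GET), ("10.0.0.6", V3_AUTHPRIV), ("10.0.0.7", V3_NOAUTH)]

if __name__ == "__main__":
    for line in audit(SAMPLES):
        print(line)
```

Running the block prints a finding for the v2c datagram and for the noAuthNoPriv v3 datagram, and nothing for the authPriv one. The second finding is the caveat worth keeping in mind when reading the statement that SNMPv3 enforces authentication: the protocol allows a noAuthNoPriv security level, so a monitoring check should look at the msgFlags, not just the version number.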

Use HP Web Jetadmin to manage SNMPv3 settings

All HP devices that are capable of management via applications such as HP Web Jetadmin are set to SNMPv1/v2 by default. In order to enable SNMPv3, the device must first be configured by an application such as HP Web Jetadmin.

Depending on the device and firmware, you can configure the device with one of the following configuration options: SNMP Credentials – FutureSmart 3 and Non-FutureSmart Devices or SNMP Credentials – FutureSmart 4.5.

In Figure 1, a device is set up for SNMPv3 using the SNMP Credentials – FutureSmart 3 and Non-FutureSmart Devices configuration option in HP Web Jetadmin. Note that in this figure only one device in a device list is selected for the SNMPv3 setup.


Figure 1: SNMP setup (single device)

NOTE: This option was previously called SNMP Version Access Control.

To communicate with an SNMPv3 device, HP Web Jetadmin must have the following elements:

User Name—The account identity allowed access via SNMPv3. Example: admin1.
Authentication Passphrase—The first secure string that is stored securely on the device and that must be validated at each SNMPv3 communication from this point forward. This item is used to allow the device to authenticate the sending entity (HP Web Jetadmin) and the communication being sent. Example: oncewasasmallcat.
Privacy Passphrase—The second secure string that is stored securely on the device and that must be validated at each SNMPv3 communication from this point forward. This item is used to encrypt the communication being sent to and from the device. Example: oncewasasmalldog.

SNMPv3 settings should be used to either completely disable SNMPv1/v2 communication or to disable write-mode, leaving SNMPv1/v2 readable by any managing agent, such as another installation of HP Web Jetadmin. The setting shown in Figures 1 and 2, SNMPv1 read-only, can be used to allow read-access. Some cases might require that SNMPv1 be completely disabled in order to protect all device data. This is possible by selecting the SNMPv1 disabled option.


Figure 2: SNMP in the HP Web Jetadmin configuration template

HP Web Jetadmin can be used to configure SNMPv3 on many devices at once. When the SNMP Credentials configuration option is displayed with multiple devices selected from a device list, HP Web Jetadmin displays blank values until the administrator adds values (credentials) to these fields. Figure 2 shows the SNMP Credentials – FutureSmart 4.5 configuration option as displayed by the HP Web Jetadmin Create Device Configuration Template wizard. Notice that there are three choices in this configuration item when it is displayed as a template or when multiple devices are selected from a device list:

Enable SNMPv3
Modify SNMPv3
Disable SNMPv3

Templates can be applied directly to one or more devices, to a device group, and through a Group Policy. With a Group Policy, the template settings take effect when a device is added as a member of a device group or removed from a device group membership. A common practice with Group Policies is to set up an automatic group that applies these templates when HP Web Jetadmin automatically populates devices into groups based on group filter criteria.


HP Web Jetadmin and credentials

In addition to the differences between SNMPv3 and SNMPv1/v2, it is important for administrators to consider how HP Web Jetadmin interacts with devices that have credentials and security features set via the Credentials Store. Important points include:

If a device is discovered using SNMPv3 or configured with SNMPv3 by HP Web Jetadmin, the mode of communication from that point forward includes SNMPv3.
SNMPv3 credentials are stored uniquely in the HP Web Jetadmin Credentials Store. HP Web Jetadmin begins each communication session by retrieving these credentials and using them to both authenticate and communicate securely with the device. The Passphrase portion of SNMPv3 credentials are added to HP Web Jetadmin using character strings, such as: oncewasasmallcat.

NOTE: Some legacy devices require the user to enter SNMPv3 credentials in the HP Embedded Web Server (EWS) interface as 16-byte hexadecimal strings rather than passphrases. The two interfaces differ significantly. For more information, see SNMPv3 passphrases vs. keys.

All SNMPv3 credentials remain in the Credentials Store until they are:
Changed by an administrator via HP Web Jetadmin
Cleared from the Credentials Store by the administrator

When HP Web Jetadmin no longer has a valid password in the Credentials Store or when no valid credential value exists, HP Web Jetadmin prompts the administrator to add a valid credential through the interface shown in Figure 3. Adding credentials via the Needed Credentials dialog is simple. After the credential enables communication with the device, HP Web Jetadmin stores it and continues using it as a seamless background operation. For more information about the Credentials Store, see the Data Security for HP Web Jetadmin white paper. This white paper is available from the HP Web Jetadmin support page (in English).


Figure 3: HP Web Jetadmin requires SNMPv3 credentials


Discover SNMPv3 devices

The HP Web Jetadmin instance that performs discovery on a network might not always be the SNMPv3 configuration agent. It is possible for devices to be initially configured via one HP Web Jetadmin instance, while a new instance discovers devices. In any case, HP Web Jetadmin must have SNMPv3 discovery enabled or it will not discover devices configured in SNMPv3. To enable HP Web Jetadmin to discover and manage devices using SNMPv3, go to Tools > Options > Device Management > Device Discovery, enable Discover SNMPv3 devices, and click Apply. The system is now capable of discovering and managing SNMPv3 devices.

Another aspect of discovering SNMPv3 devices is ensuring that the credential is included in the discovery itself. HP Web Jetadmin needs the SNMPv3 credential for even basic management communication, beginning with proper discovery. A few options exist to bring about a successful SNMPv3 device discovery. First, the discovery interface itself has a tool dedicated to adding credentials to a specific discovery or to a discovery template. Figure 4 shows the device discovery settings interface that allows adding SNMPv3 and other credentials. This pane is available as live discoveries are run or in the Create Discovery Template wizard when you want to store discovery settings.


Figure 4: Adding SNMPv3 credentials to discovery

Another way to ensure SNMPv3 credentials are included in a discovery is to add them to the Global SNMPv3 Credentials feature (Figure 5). This feature can be understood as a global try-list. Any time HP Web Jetadmin encounters a device with credentials set, it first looks in the Credentials Store. If nothing is found in the Credentials Store, it attempts whatever the administrator has configured within the global feature. The global feature is not restricted to SNMPv3 credentials. Any of the other credential types, such as SNMP Community Names or File System Password, can be added.


Figure 5: Global SNMPv3 Credentials

NOTE: HP Web Jetadmin discoveries are slowed when many credentials are added to the Global SNMPv3 Credentials feature. For each device that lacks credentials in the Credentials Store, HP Web Jetadmin must go through each global value until it either finds a working credential or exhausts the list.

SNMPv3 passphrases vs. keys

The HP EWS management interface allows access to many device settings. Both device and HP Jetdirect management settings can be viewed and adjusted from HP EWS. While you might expect these to be identical to the settings found in the HP Web Jetadmin configuration interface, this is not always the case for some legacy devices. For example, HP EWS might show SNMPv3 credentials as hexadecimal keys, while HP Web Jetadmin always has credentials configured with passphrases. This is a significant difference. HP does not recommend managing SNMPv3 from both interfaces on the same device or even within the same.

Best practices: Use the Global SNMPv3 Credentials feature to ensure that HP Web Jetadmin has enough information to discover your SNMPv3-protected devices. Limit the values you add to the global feature to avoid discovery performance issues.

When the SNMPv3 credential is configured from HP Web Jetadmin, the user adds a user identity and two passphrases to the interface. The passphrases are designed with human usability in mind and can be simple, easy-to-remember strings of letters and/or numbers. (The example given previously was oncewasasmallcat.) When HP Web Jetadmin sets up the device for SNMPv3 security, it transposes that phrase into a hex key using a secure hash technique of MD5 or DES, depending on the phrase. This is done in order to make it nearly impossible to derive the user passphrases from network utilities. So, while HP Web Jetadmin allows the user to work with friendly passphrases, the SNMPv3 communication between HP Jetdirect and HP Web Jetadmin uses very cryptic strings that prevent tampering with devices and data.

Best practices: If HP Web Jetadmin is initially used to configure SNMPv3 on devices, HP Web Jetadmin must always be used instead of HP EWS. Administrators can continue to use HP EWS as a management interface with the exception of SNMPv3 settings.

Some legacy HP EWS interfaces, however, require the user to enter hexadecimal keys rather than passphrases. For security reasons, HP EWS does not disclose the key values that are currently stored on the device. This means it is extremely difficult to manage SNMPv3 credentials from both HP EWS and HP Web Jetadmin. Therefore, when HP Web Jetadmin is the primary tool for managing a fleet that contains older legacy devices, HP highly recommends that you use HP Web Jetadmin exclusively for managing SNMPv3 settings as well.
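The passphrase-to-key conversion described in the two preceding paragraphs, as an added example that is not part of the HP document or HP's own code. The standard SNMPv3 user-based security model (RFC 3414, Appendix A.2) derives the key from the passphrase with MD5 or SHA-1 (DES is the SNMPv3 privacy cipher, not a hash) in two steps: the passphrase is repeated to fill 1 MiB and hashed, then the result is "localized" by hashing it together with the target engine's ID. The second step is the practical reason a hex key cannot simply be copied between interfaces or devices while a passphrase can be re-entered anywhere: the same passphrase yields a different key on every engine. The test vectors are those of RFC 3414 Appendix A.3; the fleet engine IDs are constructed, and which of the two intermediate keys a particular legacy HP EWS field expects is not stated in the document.

```python
"""RFC 3414 password-to-key conversion and key localization.

Added example (not HP code). Implements A.2.1/A.2.2 (MD5/SHA-1 variants of the
same procedure) and shows that one passphrase maps to a distinct localized key
per SNMP engine, which is why hex keys are not portable across devices.
"""
import hashlib

EXPANSION_BYTES = 1_048_576  # RFC 3414 A.2: passphrase is repeated cyclically to fill 1 MiB


def password_to_ku(passphrase: bytes, hash_name: str = "md5") -> bytes:
    """Step 1: Ku = H(passphrase repeated to exactly 1 MiB)."""
    if not passphrase:
        raise ValueError("passphrase must not be empty")
    if hash_name not in ("md5", "sha1"):
        raise ValueError("RFC 3414 defines only MD5 and SHA-1 for key derivation")
    repeats = EXPANSION_BYTES // len(passphrase) + 1
    expanded = (passphrase * repeats)[:EXPANSION_BYTES]
    return hashlib.new(hash_name, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Step 2: Kul = H(Ku || snmpEngineID || Ku), binding the key to one engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def passphrase_to_localized_key(passphrase: str, engine_id: bytes,
                                hash_name: str = "md5") -> bytes:
    """Full conversion from a human-friendly passphrase to the per-device key."""
    return localize_key(password_to_ku(passphrase.encode("utf-8"), hash_name),
                        engine_id, hash_name)


def localized_keys_for_fleet(passphrase: str, engine_ids, hash_name: str = "md5") -> dict:
    """Map each engine ID (hex) to the localized key (hex) the same passphrase produces there."""
    return {eid.hex(): passphrase_to_localized_key(passphrase, eid, hash_name).hex()
            for eid in engine_ids}


# RFC 3414 A.3 test vector inputs.
RFC_PASSPHRASE = "maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

# Constructed engine IDs standing in for two printers in a fleet (placeholders, not real devices).
FLEET_ENGINE_IDS = [bytes.fromhex("800000090300112233445501"),
                    bytes.fromhex("800000090300112233445502")]

if __name__ == "__main__":
    print("RFC 3414 MD5 key:", passphrase_to_localized_key(RFC_PASSPHRASE, RFC_ENGINE_ID, "md5").hex())
    print("RFC 3414 SHA-1 key:", passphrase_to_localized_key(RFC_PASSPHRASE, RFC_ENGINE_ID, "sha1").hex())
    for eid, key in localized_keys_for_fleet("oncewasasmallcat", FLEET_ENGINE_IDS).items():
        print(f"engine {eid}: localized key {key}")
```

The fleet loop is the part that matters for the passphrase-versus-key discussion: the document's own example passphrase, oncewasasmallcat, produces a different 16-byte key on each engine, so a key read from or typed into one device's HP EWS page tells an administrator nothing about what another device expects. Keeping the passphrase as the single source of truth, as HP Web Jetadmin does, avoids that problem.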


Figure 6: Device configuration via HP EWS

Notes

Administrators need to know about many facets of device security, including protocols, interfaces, firmware, and more. HP offers many documents regarding device security, which can be found on the HP Web Jetadmin support page.
In addition to SNMP, HP Web Jetadmin also uses the HTTPS protocol to manage some device settings. This is especially true for many newer HP devices. HTTPS communication in this case is encrypted and prevents plain text monitoring and network sniffing. For more information, see Introduction to SNMPv3. The Data Security for HP Web Jetadmin white paper outlines this protocol in more detail. This white paper is available on the HP Web Jetadmin support page (in English).
In general, HP Web Jetadmin should be used to configure all device security settings. The wide range of settings are best managed with templates, which can save administrators time by reducing repetitive tasks.

Best practices: When using HP Web Jetadmin templates to configure device security, keep security settings in separate templates. Security settings might need to be rotated on a periodic basis according to policy. Keeping these templates separate makes this easier to manage.

Troubleshooting

HP Web Jetadmin performance can become noticeably slow when managing devices configured with SNMPv3.
All HP Web Jetadmin versions can process alerts using polling and SNMPv1/v2 traps. SNMPv3 traps are supported from HP Web Jetadmin 10.4 and later.
When a device discovered with SNMPv1/v2 is converted to SNMPv3, a new discovery might be required to re-register that device as configured with SNMPv3.



© Copyright 2020 HP Inc. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

c01941786, Rev. 5, September 2020
